Winstep Forums
http://forums.winstep.net/phpBB2/

Digital Signature
http://forums.winstep.net/phpBB2/viewtopic.php?f=2&t=10906
Page 1 of 1

Author:  SJMarty [ Mon Dec 17, 2018 7:38 pm ]
Post subject:  Digital Signature

Are there plans to add a digital signature to the Nexus Ultimate/Xtreme installers and executables? Thanks.

Author:  winstep [ Mon Dec 17, 2018 7:40 pm ]
Post subject:  Re: Digital Signature

I thought about it several times - not sure it's worth it though.

Author:  nexter [ Mon Dec 17, 2018 8:37 pm ]
Post subject:  Re: Digital Signature

winstep wrote:
I thought about it several times - not sure it's worth it though.

Probably not. Personally, I can live without them.

Author:  winstep [ Mon Dec 17, 2018 8:50 pm ]
Post subject:  Re: Digital Signature

Well, it's less trouble with AV software. This said, it will probably interfere with the current protection scheme embedded in the executables. I was never able to get a clear answer as to what the digital signature does - I imagine it just appends a block of data to the end of the executable, but if the size of that block of data is variable then that would be a major problem.

Plus certificates are not exactly cheap - nor are they any indication that the software is secure, i.e., you get exactly the same reassurance if you download directly from the Winstep web site.
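
Added example, not part of the thread and not Winstep's code: Authenticode keeps the signature in the PE attribute certificate table, which the security data directory entry locates by file offset and size, and the signed hash skips that table, the directory entry and the CheckSum field. The Python sketch below parses those fields and computes a digest that skips the same three regions, so it is unchanged by a signature block of any size; `pe_layout`, `signature_agnostic_digest` and `build_sample` are hypothetical names, the sample bytes are constructed, and the digest is a simplification rather than the exact Authenticode hash.

```python
import hashlib
import struct

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the attribute certificate table

def pe_layout(data):
    """Return (checksum_off, entry_off, cert_off, cert_size) for a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 24                      # optional header follows the COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+
    if struct.unpack_from("<I", data, dirs - 4)[0] <= SECURITY_DIR:
        raise ValueError("no security directory slot")
    entry = dirs + 8 * SECURITY_DIR
    # Unlike other directories, this one holds a file offset, not an RVA.
    cert_off, cert_size = struct.unpack_from("<II", data, entry)
    if cert_size and not entry + 8 <= cert_off <= len(data) - cert_size:
        raise ValueError("certificate table outside file")
    return opt + 64, entry, cert_off, cert_size

def signature_agnostic_digest(data):
    """SHA-256 over the file minus CheckSum, security entry and cert table."""
    checksum, entry, cert_off, cert_size = pe_layout(data)
    end = cert_off if cert_size else len(data)
    h = hashlib.sha256(data[:checksum])
    h.update(data[checksum + 4:entry])
    h.update(data[entry + 8:end])
    h.update(data[end + cert_size:])       # anything after the table
    return h.hexdigest()

def build_sample(cert=b""):
    """Constructed PE32 header plus filler body; optionally 'signed' with cert."""
    pe_off, body = 0x40, b"constructed section data" * 4
    img = bytearray(pe_off + 24 + 96 + 16 * 8) + body
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, pe_off)
    img[pe_off:pe_off + 4] = b"PE\0\0"
    struct.pack_into("<H", img, pe_off + 24, 0x10B)
    struct.pack_into("<I", img, pe_off + 24 + 92, 16)   # NumberOfRvaAndSizes
    if cert:
        struct.pack_into("<II", img, pe_off + 24 + 96 + 32, len(img), len(cert))
    return bytes(img) + cert

if __name__ == "__main__":
    for blob in (b"", b"\x01" * 1200, b"\x02" * 4096):
        print(len(blob), signature_agnostic_digest(build_sample(blob)))
```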

Author:  SJMarty [ Tue Dec 18, 2018 2:48 am ]
Post subject:  Re: Digital Signature

winstep wrote:
Well, it's less trouble with AV software. This said, it will probably interfere with the current protection scheme embedded in the executables.

I did do some searching before posting my question and what I found actually prompted me to post. The thread I found was over two years old but was actually quite interesting. It gave some history of theming and ultimately answered the question of why themers charge. What grabbed my attention in the thread was this...
winstep wrote:
Despite this, somebody figured out that they could still use Microsoft's own skinning engine by illegally patching a Windows DLL to by-pass the digital signature requirement - and thus StyleXP was born, the only real 'competitor' WindowBlinds ever had.

I'm finally updating to Windows 10 on all of my machines and when I installed Nexus Ultimate, I got the warnings about the lack of digital signature. I then started poking around the forum and found the aforementioned thread. Then, I read this in the sticky thread concerning performance and anti-virus/anti-malware software...
winstep wrote:
Provided the user has downloaded Nexus or other Winstep applications from the official Winstep web site (always the preferred place) *or* reputable download sites like Cnet, Download.com, BaixaKi, Softpedia, etc... he should be at no risk.
However, and I can't stress this enough, you should NEVER download software from sites like RapidShare, MegaUpload, Fileupload, etc... Winstep software downloaded from those types of sites is not only nearly never the latest version, it will also often come with nasty 'add-ons'.

Knowing what little I do about digital signatures, my understanding is that their purpose is to guarantee that the software/driver was created by the manufacturer and that it hasn’t been modified since it was created. With driver signature enforcement, you can be assured that the software/driver is authentic and has not been altered by a malicious third party.

At the end of the day, even though I know it can be tampered with and my anti-virus software is going to warn me about it, I'm not going to stop using Nexus because it doesn't have a digital signature. I've used it for a long time and trust the software - as long as I download it from here. However, someone just checking Winstep stuff out for the first time, may not have the same sense of comfort using the software when all the bells start going off. Maybe the digital signature is a false sense of security...I don't know. What I do know is that not having a signature causes some (most?) security software to say "something is wrong here" and then asks the user what to do. Seems like if you could avoid that happening, potential new users may be less likely to cancel the install.

Sorry for the long post. Just wanted to give you some food for thought...

All times are UTC